We run VMware View (now Horizon) in our environment. Our experience is that the built-in vmware-view application did not work for us. It seems to expect that all the services will run on one server, which is a little bit unrealistic. I think Palo Alto should have split them down into their individual applications within View rather than trying to bundle them. For instance, you may not want to allow RDP, or USB redirection, but by default they are included. When you start looking to block these it can get tricky and downright just not work because of “rules validation”.
In our case we have separate View hosting and security servers. For us to get it to work correctly we had to configure custom applications, application overrides, and a few rules for View. Note that View was the only application that we had to do this for.
Custom Apps:
Application Override
Rules
Remember that PCoIP streams on UDP/4172. The TCP/4172 side of PCoIP is used for control, which simply looks to be SSL traffic just on a custom port, which is probably why Palo Alto firewalls see it as SSL.
I'm not a fan of having to turn off layer 7 application inspection for these particular servers and ports, but this seemed to be the only option. If anyone else has done this in a more simplified manner, I would love to hear about it.
-Matt